How to Conduct Incident Response Tabletop Exercises

Cyber attacks can induce panic and extreme stress, which is the goal of attackers. After all, when you're flustered and backed into a corner, you're much more likely to make poor split-second decisions. Hackers prey on this, hoping you concede to their payout demands out of desperation.

To avoid panicking in the event of an attack, experts recommend conducting cybersecurity tabletop exercise scenarios with your key leaders.

Despite the necessity of these cyber "fire drills", many business leaders don't know where to start. To help you get started, here's an overview of what to know, who to loop in, and how to approach cybersecurity incidents with your team.

What Are the 5 Phases of Disaster Management?

The National Institute of Standards and Technology offers a guide on incident response planning and execution, where it lists key steps as:

1. Preparation
2. Detection
3. Cyber Forensic Analysis
4. Threat Containment, Eradication & Recovery
5. Post-Event Activity

1. Preparation

Preparation ensures you have all the necessary resources and contacts on hand if a cyber incident occurs. Some of these items NIST recommends having readily available include:

• Contact information (and backup contacts) for crucial team members, leadership, cyber insurance providers, law enforcement, etc.
• On-call information for other teams in your business, including details on escalation procedures
• Incident reporting channels such as phone systems, emails, online forms, cloud messaging, etc so people can report incidents (at least one way should offer anonymous reporting)
• Encryption software for secure internal and external communication (with special requirements for federal agencies)
• Designated "war room" where communication and coordination will take place. If this doesn't make sense for you, create a procedure for deciding on a space or primary communication channel for coordination if/when necessary
• Secure storage facility to secure any evidence and sensitive information

NIST also recommends key team members carry smartphones for flexible communication on-the-go.

2. Detection

Detection has a lot to do with the tools you leverage to recognize threats. Experts recommend using Zero Trust as a framework to protect your critical infrastructure. Zero Trust makes it so no user or tool is marked safe or allowed to enter the network without explicit verification from your IT team.

A key component to threat containment is called threat hunting. This is a different approach than traditional anti-virus technology that simply recognizes patterns associated with cyber attacks. Threat hunting actively looks for abnormalities to halt and eradicate them.

Technology like Endpoint Detection & Response (EDR) is a great first line of defense against attacks, including brand-new types of attacks, also referred to as zero-day attacks.

Sources that can help you detect precursors (signs that an attack could occur) and indicators (signs that an attack has occurred) include:

• Intrusion Detection & Prevention Systems (IDSPs)
• Anti-virus software
• Third-party monitoring systems
• Reports from people within or outside your organization

With your team, go over your existing tools that can detect any threats. Run through some cybersecurity tabletop exercise examples. Some scenarios could look like ransomware infections from a clicked phishing email, suspicious files found on a desktop, or endpoint data breaches.

3. Cyber Forensic Analysis

Although you would likely call upon third-party cyber forensic specialists to work with your IT team to uncover crucial details, there are things you can do to prepare. NIST recommends keeping an inventory of necessary hardware and software including:

• Digital forensic workstations and/or backup devices
• Laptops
• Spare workstations, servers, and networking equipment (or the virtual equivalents)
• Blank removable media
• Portable printer to print copies of log files and other evidence from non-networked systems
• Packet sniffers and protocol analyzers to capture and analyze network traffic
• Digital forensic software to analyze disk images
• Removable media with trusted versions of programs to be used to gather evidence from systems
• Evidence-gathering materials such as notebooks, digital cameras, audio recorders, and materials to store collected evidence

4. Threat Containment, Eradication & Recovery

After you've identified the breach and conducted a thorough examination uncovering all available details, what now? The next step is to contain, remediate, and recover from the breach. This is just as crucial as becoming aware of a breach, and critical in minimizing the long-term harm to your business.

During your tabletop exercises, formulate an action plan to recover lost data, reduce or eliminate the need to pay ransomware attackers, and protect compromised individuals. To avoid the possibility of losing data completely, invest in secure data backups that are separate from your main network. This is called network segmentation.

For example, if you've determined that credit card information or social security numbers of your clients or staff have been leaked, contact a credit monitoring service to assist victims. Always have a plan to assist victims in protecting themselves from identity theft, since hackers will often leak or sell this data on the dark web.

During this phase, you will call upon your pre-determined vendors or resources to help eradicate the threat. These might include:

• Cybersecurity experts
• Extortion and ransomware negotiators
• Loss mitigation services
• Cyber insurance providers

These professionals can help you to know what to do, how to approach any given situation, and how to recover lost data or money if possible.

Keep in mind, there's no silver bullet for resolving a cyber crisis. Often, you'll still incur significant financial and/or reputational damage regardless of the help your resources offer. To read about the real costs of a cyber attack, read our blog: What Does a Cyber Breach Cost to Fix in 2024?

5. Post-Event Activity

After an attack, it's important to carefully document everything you uncovered. This will also help with any legal proceedings or insurance claims, so ensure you document as much as you can along the way.

By saving every piece of the story, your team can go over lessons learned to improve your security in the future. According to NIST, your documentation should include things like:

• The current status of the incident
• A summary of the incident and indicators that alerted you to it
• Actions taken by all parties involved
• Contact information for all those involved
• A list of evidence gathered
• Next steps to take in the future

What Does Proactive Cybersecurity Entail?

There are a few different approaches you can take to cybersecurity- proactive and reactive. Reactive cybersecurity typically happens after you've already suffered an attack, which can look like:

• Ransomware negotiation services
• Disaster recovery
• Cyber forensics

Although there is still a need for reactive measures after an attack, experts say it's best to reduce risk before you become a victim. Proactive cybersecurity involves implementing cybersecurity tools and best practices to stop cyber criminals in their tracks before they can cause harm. This might include:

• Zero Trust Infrastructure
• Tools like multifactor authentication, endpoint detection & response technology, and firewalls
• Strong password requirements & frequent reset policies
• Mandatory and frequent cybersecurity training for all employees

How to Create an Incident Response Plan That Makes Sense For You

Now that you have a framework to conduct your tabletop exercises, you can begin evaluating your current cybersecurity posture to find any gaps. By understanding your network's strengths and weaknesses, you'll have an edge to defend your livelihood from hackers who aim to threaten it.

If you're ready to dive into cybersecurity by learning where you stand, click the button below to speak to an expert about a cybersecurity audit.